Method and a device for managing a computer network

ABSTRACT

A method and a device for managing a computer network, and in particular a technique for ensuring the security of a network. In a computer network system in which computers are connected to each other through transmission lines, each computer stores data constituting a moving type software used exclusively for security, adds that data to a message when it transmits the message to another computer of the system, and, upon receiving a message from another computer, executes the moving type software using the data added to that message.

TECHNICAL FIELD

[0001] The present invention relates to a method of and a device for managing a computer network, and in particular to a technique for ensuring the security of a network.

BACKGROUND ART

[0002] With the development of open and global computer communication environments such as the Internet, there is an increasing number of unjustified practices, for example stealing a glance at communication data or falsifying the data. Moreover, when a countermeasure is devised for one injustice, another trick immediately appears; that is, there is a spiral of injustice and countermeasure. Compared with conventional systems, in which business and operation were carried out in the closed network of a firm, today's systems using open environments offer many more chances for unknown injustices. Consequently, a new countermeasure that is not a simple extension of the prior art has been desired. Turning to the immune system of the human body, the immune system prevents a very large number of bacteria and viruses from entering the body, although there are some exceptions. Additionally, even when an unknown bacterium or virus appears that does not exist at present, the immune system can somehow cope with it. Regarding the human body as a computer network and the bacteria and viruses as injustices of various tricks, it is appreciated that an immune system is required for the network. That is, it is desired to implement a function, like the immune system of the human body, that copes with a large number of unknown injustices taking place in the computer network.

[0003] The article “A Biologically Inspired Immune System For Computers” by Jeffrey O. Kephart, published by MIT Press in 1994, discloses a method of detecting and coping with injustices in a computer network.

[0004] FIG. 9 shows the conventional method. In FIG. 9, reference numerals 1001 to 1018 respectively indicate computers, each including a communicating function.

[0005] Assume that a computer virus enters the computer 1001 at time 1 and is rejected, so that the computer 1001 becomes immune to the computer virus. In the immunized state the computer retains a state in which it memorizes the associated information so as to cope immediately with another invasion of the same computer virus. In this situation, the computer 1001 sends a “sterilization signal” to the adjacent computers 1002 to 1006. The sterilization signal notifies that the computer of the transmission source has been infected with the computer virus, and it includes a scanning symbol string and restoring information that the receiving computer can use to detect and cope with the computer virus. Assume that among the computers 1002 to 1006 having received the sterilization signal, the computers 1002, 1004, and 1006 have already been infected with the computer virus. Furthermore, assume that the computers 1007, 1008, 1011, 1013, and 1018 have also been infected with the computer virus at time 1.

[0006] At time 2, the computers among 1002 to 1006 that were already infected with the computer virus repulse the virus in accordance with the sterilization signal and obtain immunity against the virus. Thereafter, the computers 1002, 1004, and 1006 further send the sterilization signal to their adjacent computers. Although the computers 1003 and 1005, which were not infected with the virus, also obtain immunity against the virus in accordance with the sterilization signal, these computers do not forward the sterilization signal to their adjacent computers.

[0007] In this method, if the sterilization signal propagates through the network faster than the computer virus spreads, infection with the computer virus can be prevented to some extent.

[0008] However, the known example suffers from the following drawbacks.

[0009] First, when two or more points are infected with the computer virus in the initial stage, the method cannot satisfactorily cope with the infection. For example, if the infection takes place in the computer 1010 in addition to the computer 1001 in FIG. 9, the sterilization signal from the computer 1001 is not passed to the computer 1010, and hence the virus cannot be repulsed in the computer 1010. As a result, there is a risk that the computer virus spreading from the computer 1010 invades the network via another computer adjacent to the computer 1010. That is, although the computer virus is detected in the computer 1001 as the first place of infection and the countermeasure is therefore known, that information cannot be sufficiently utilized to prevent infection with the virus.

[0010] Second, the sterilization signal is not completely reliable. For example, the computer 1002 is invaded by the computer virus at time 1 and is therefore partly unreliable. It cannot be confirmed at time 2 that the computer 1002 is completely recovered. The computer 1008 nevertheless acts on the sterilization signal declared by the computer 1002. Since the computer 1002 is actually not yet completely recovered at this point, there is a risk that it sends an incorrect “sterilization signal” that deteriorates the overall network, which is contrary to the purpose of the signal. In the conclusion of the article above, this point is described as a problem to be solved in the future.

[0011] Third, consideration has been given only to injustices by computer viruses. For example, an attempt at unauthorized access to the computer from an external device has not been taken into consideration. Such an injustice other than a computer virus cannot be sufficiently coped with by transmitting a sterilization signal; depending on the case, countermeasure software must be transmitted and executed. Moreover, if a “suppression signal” to suppress its operation at an appropriate time is not supplied to the countermeasure software, there is an increased chance that the software runs away and damages normal functions. This point is not described in the above article.

[0012] Fourth, the method provides only insufficient quarantine of data from an external network. Heretofore, software called a firewall is installed at the point of connection to the external network; alternatively, when a magnetic disk or a compact disk is mounted, vaccine software (anti-virus software) is introduced to prevent a program conducting injustices from entering the associated computers. However, in the present state of the art, there is neither a means to confirm the reliability of the firewall settings nor a means to guarantee that the latest vaccine software is activated on each computer.

[0013] Fifth, the quarantine is insufficient for data that may possibly be unjust. Conventional vaccine software (fixed type security dedicated software) detects a virus, on the basis of past instances of damage, by a data layout characteristic of the data when the virus is parasitic on a file system or a memory. Consequently, it is at present impossible to detect injustices caused by a virus of a new type.

[0014] It is therefore an object of the present invention to provide a method of and a device for managing a computer network capable of coping with simultaneous invasion of computer viruses at a plurality of positions of the computer network.

[0015] Another object of the present invention is to provide a method of and a device for managing a computer network capable of ensuring the reliability of security software.

[0016] Still another object of the present invention is to provide a method of and a device for managing a computer network capable of suppressing a possible runaway of security software.

[0017] A further object of the present invention is to provide a method of and a device for managing a computer network capable of improving the safety of data from an external network.

[0018] Another object of the present invention is to provide a method of and a device for managing a computer network capable of immediately detecting the outbreak of a computer virus of a new type.

DISCLOSURE OF INVENTION

[0019] To solve the above problems of the prior art, the present invention utilizes the following means.

[0020] (1) On each computer coupled to the network, a fixed type security dedicated module or a moving type security dedicated software is installed to detect an injustice and/or to work out a countermeasure. When a computer sends an e-mail or a message such as database access data, the moving type security dedicated software is automatically added to the e-mail or data. When the message arrives at the destination, the software is separated from it, and its function is executed by the fixed type security dedicated module of the destination computer. The moving type security dedicated software is either of a promotion type or of a non-promotion type. Since promotion type software produces a new copy of itself for each transmission destination before transmission, the copies can spread through the entire network at the highest possible speed. This solves the first drawback above.

[0021] (2) The moving type security dedicated software and the security notification data carry their own digital signatures and are verified in one of the following ways.

[0022] (a) Using the digital signature, the fixed type security dedicated module of the destination computer verifies that the moving type security dedicated software and the security notification data have not been falsified.

[0023] (b) The moving type security dedicated software periodically verifies itself to determine whether its security notification data has been falsified. If the data is determined to have been falsified, the software rewrites its own contents to invalidate itself.

[0024] (c) Another moving type security dedicated software verifies, by means of the digital signature, that the software has not been falsified.

[0025] With this provision, the second drawback above is solved.

[0026] (3) As a result of its execution, the moving type security dedicated software outputs security notification data of “acceleration” or “suppression”. The output data is communicated via the fixed type security dedicated module to the other fixed type security dedicated modules. When the data indicates “acceleration”, the moving type security dedicated software in the inactivation list is moved to the activation list, so that the priority level of that software in the activation list becomes higher. When the data indicates “suppression”, the moving type security dedicated software in the activation list is moved to the inactivation list, or the moving type security dedicated software rewrites itself to invalidate itself. The activation and inactivation lists are kept in the fixed type security dedicated module. Whenever a moving type security dedicated software exists in the activation list, it is executed. A moving type security dedicated software in the inactivation list is deleted from it when the software has not been executed for a predetermined period of time. This solves the third drawback above.

[0027] (4) Each computer is provided with fixed type security dedicated software which checks to determine a computer on which a moving type security dedicated software is activated. When data is introduced from an external system, the data is first copied onto the computer with the activated software for sterilization, and the sterilized data is then introduced to the target computer. This solves the fourth drawback above.

[0028] (5) The moving type security dedicated software memorizes the configuration of each computer it has visited before. Among newly added or updated data, the software determines particularly suspicious data and moves it to a computer used exclusively for execution, thereby quarantining the data from the network. When an injustice due to a virus occurs after the quarantine, a human manager works out a countermeasure. If no infection is detected for a predetermined period of time, the data is returned to the original computer. With this provision, the fifth drawback is solved.

[0029] That is, in accordance with the present invention, there is provided a computer network managing method for use in a computer network in which a plurality of computers are connected to each other via transmission lines. When each of the computers sends a message to another of the computers, the sending computer memorizes and keeps therein data forming a moving type security dedicated software, and that data is added to the message for transmission. When the computer receives a message from another computer, it executes the moving type security dedicated software in accordance with the data forming the moving type security dedicated software that is added to the message.

[0030] Moreover, in accordance with the present invention, there is provided a computer network managing device for use in a computer network in which a plurality of computers are connected to each other via transmission lines. Each of the computers includes data forming a moving type security dedicated software, which is added to a message when the computer sends the message to another of the computers, and a fixed type security dedicated module which, when the computer receives a message from another computer, executes the moving type security dedicated software in accordance with the data forming the moving type security dedicated software that is added to the message.

BRIEF DESCRIPTION OF DRAWINGS

[0031] FIG. 1 is a diagram showing the constitution of a computer network system in an embodiment in accordance with the present invention;

[0032] FIG. 2 is a flowchart showing a processing procedure of a security agent;

[0033] FIG. 3 is a flowchart showing another processing procedure of the security agent;

[0034] FIG. 4 is a flowchart showing still another processing procedure of the security agent;

[0035] FIG. 5 is a diagram showing the structure of a system that copes with a computer virus by means of a computer on which a security dedicated software is activated;

[0036] FIG. 6 is a diagram showing a distributed system in which a file suspected of infection with a computer virus is quarantined in the system;

[0037] FIG. 7 is a flowchart showing a procedure to cope with a computer virus by means of a computer on which a security dedicated software is activated;

[0038] FIG. 8 is a flowchart in which a file suspected of infection with a computer virus is quarantined in the distributed system; and

[0039] FIG. 9 is a diagram for explaining a conventional security system.

BEST MODE FOR CARRYING OUT THE INVENTION

[0040] Referring now to the drawings, an embodiment in accordance with the present invention will be described.

[0041] FIG. 1 shows the configuration of an embodiment of the present invention in which a personal computer A 101, a WWW server 102, a personal computer X 103, a personal computer Y 104, Taro's personal computer 105, and a computer 106 serving as an epidemic prevention center are connected to a network 107. Personal computer A 101 includes a fixed type security module 108 in which an open key (public key) list according to type 109, an activation list 111, an inactivation list 112, a security message list 113, a WWW browser 110, and an access control unit 114 are arranged.

[0042] The access control unit 114 controls the communication of data between the fixed type security module 108 and external devices; the data is that output from or input to the WWW browser 110. The control unit 114 inhibits any unauthorized access to the module 108.

[0043] The WWW browser 110 outputs data A 115 to the WWW server 102 and receives data B 116 from it.

[0044] Data A 115 includes, in addition to an ordinary message 117 usually communicated between the WWW server 102 and the WWW browser 110, security software E3 118, a digital signature ST (E3) 119 for security software E3 generated by Taro's personal computer 105, a security message M5 120 including the character strings “suppression” and “E5”, and a digital signature SB (M5) 121 for security message M5 120 generated by the epidemic prevention center 106.

[0045] Data B 116 includes, in addition to an ordinary message 122 usually communicated between the WWW server 102 and the WWW browser 110, security software E4 123, a digital signature SB (E4) 124 for security software E4 generated by the epidemic prevention center 106, a security message M2 125 including the character strings “acceleration” and “E2”, and a digital signature SB (M2) 126 for security message M2 125 generated by the epidemic prevention center 106.

[0046] The activation list 111 is a stack of the first-in-first-out type (that is, a queue) in which data is sequentially entered and accumulated from the upper-most position and from which data is sequentially taken out from the lower-most position. Stored at the upper-most position is a pair 129 of security software E1 and its digital signature SB (E1). At the second position is stored a pair 130 of security software E3 and its digital signature ST (E3).

[0047] The inactivation list 112 is a stack similar to that described above. Stored in the list 112 is a pair of security software E2 and its digital signature SB (E2).

[0048] The security message list 131 is a stack similar to that described above. Stored in the list 131 is a pair of a character string including “suppression” and “E5” and its digital signature SB (M5).

[0049] In the open key list according to type 109, there are set an open key “27F7EA98 . . . .” 127 with the identification name “B: Epidemic prevention center” for the type “promotion” and an open key “76C3BBA8 . . . .” 128 with the identification name “T: Taro” for the type “non-promotion”. The open key “27F7EA98 . . . .” 127 of “B: Epidemic prevention center” is used to verify the validity of digital signatures SB (.) such as SB (E1) 129 or SB (E2) 112 generated by the epidemic prevention center 106. The open key “76C3BBA8 . . . .” 128 of “T: Taro” is used to verify the validity of digital signatures ST (.) such as ST (E3) 130 generated by Taro's personal computer 105.

[0050] FIG. 2 shows the processing flow of the WWW browser 110 when data A 115 and data B 116 are communicated between the personal computer A 101 and the WWW server 102. In step 201, the browser 110 starts its operation. In step 202, the browser 110 executes a receiving operation. In step 203, the browser 110 initiates operation of the security function. In step 204, the browser 110 checks whether or not a security software is added to the received data. If the software is present, control is passed to step 205; otherwise, control is transferred to step 209.

[0051] In step 205, the browser 110 executes subroutine A. In step 206, control is passed to step 207 if the return value from subroutine A is 0; otherwise, control is passed to step 209. In step 207, the browser 110 checks whether or not a security software similar to the received security software has already been registered in the activation list 111 or the inactivation list 112. If such a software is present, control is transferred to step 208; otherwise, control is passed to step 209.

[0052] In step 208, the browser 110 adds the received security software to the stack of the activation list 111 at the upper-most position. In step 209, the browser 110 checks whether or not a transmitting operation is to be conducted. If so, control is transferred to step 210; otherwise, control is passed to step 219. In step 210, the browser 110 checks whether or not the activation list 111 is empty. If empty, control is passed to step 213; otherwise, control is transferred to step 211.

[0053] In step 211, the browser 110 takes the security software at the lower-most position of the stack of the activation list 111. In step 212, the browser 110 produces a copy of the security software and returns the copy to the original position in the stack of the activation list 111. Control is then passed to step 217.

[0054] In step 213, the browser 110 checks whether or not the inactivation list 112 is empty. If empty, control is passed to step 219; otherwise, control is transferred to step 214. In step 214, the browser 110 takes the security software at the lower-most position of the stack of the inactivation list 112. In step 215, the browser 110 checks whether or not the security software is of the promotion type. If so, control is passed to step 216; otherwise, control is transferred to step 217.

[0055] In step 216, the browser 110 produces a copy of the security software and returns the copy to the original position in the stack of the inactivation list 112. In step 217, the browser 110 adds the security software to the transmission data and transmits the resulting data. In step 218, the browser 110 executes subroutine B. Thereafter, the WWW browser terminates its operation in step 219.

[0056] FIG. 3 shows the processing flow of subroutine A 205. The processing will be described with reference to the flowchart.

[0057] In step 301, subroutine A starts its operation. In step 302, it checks whether or not the digital signature added to the security software is valid. If valid, control is passed to step 303; otherwise, control is transferred to step 307. In step 303, control is passed to step 304 if the digital signature was generated by the epidemic prevention center 106. If the signature was generated by Taro's personal computer 105, control is transferred to step 305. Otherwise, control is passed to step 306.

[0058] In step 304, subroutine A determines that the security software is of the promotion type and sets the return value to 0. In step 305, subroutine A determines that the security software is of the non-promotion type and sets the return value to 0. In step 306, subroutine A writes a meaningless character string over the security software to invalidate it and sets the return value to 1. In step 307, subroutine A checks whether or not a security message is added to the received data. If the message is present, control is passed to step 308; otherwise, control is transferred to step 312.

[0059] In step 308, subroutine A checks whether or not the digital signature of the security message is valid, namely, whether or not the digital signature was generated by the epidemic prevention center. If valid, control is transferred to step 309; otherwise, control is passed to step 312.

[0060] In step 309, control is passed to step 310 if the security message contains “acceleration”, and to step 311 if it contains “suppression”. In step 310, if the security software specified by the security message exists in the activation or inactivation list, subroutine A moves that software to the lower-most position of the activation list; otherwise, subroutine A passes control to step 312. In step 311, if the security software specified by the security message exists in the activation or inactivation list, subroutine A deletes that software; otherwise, subroutine A passes control to step 312. Thereafter, subroutine A terminates its operation in step 312.
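The receive side of FIG. 2 (steps 204 to 208) together with subroutine A of FIG. 3, as an added example in Python; it is not code from the patent. Assumptions: the open key list 109 and its public-key signatures are stood in for by HMAC-SHA256 with a per-signer secret so that the example runs on the standard library alone (the verify-then-dispatch logic is the page's, the signature scheme is not); step 302 is read as “a well-formed signature is attached” and step 303 as “which listed key verifies it”; step 207 is read as registering a received software only when none of the same name is already in either list; the software names, payloads, keys and the `demo` scenario are constructed.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass

# Open key list according to type (numeral 109): identification name -> (type, key).
# ASSUMPTION: the page's public keys are replaced by per-signer HMAC secrets so that
# the example needs only the standard library; only the dispatch logic is the page's.
OPEN_KEY_LIST = {
    "B: Epidemic prevention center": ("promotion", b"constructed-secret-of-center"),
    "T: Taro": ("non-promotion", b"constructed-secret-of-taro"),
}
CENTER = "B: Epidemic prevention center"


def sign(key: bytes, payload: bytes) -> str:
    """Stand-in for SB(.) / ST(.): a 64-hex-character MAC over the payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def signed_by(name: str, payload: bytes, signature: str) -> bool:
    _kind, key = OPEN_KEY_LIST[name]
    return hmac.compare_digest(sign(key, payload), signature)


@dataclass
class SecuritySoftware:
    name: str          # "E1" ... "E5" in FIG. 1
    code: bytes
    signature: str
    kind: str = ""     # "promotion" or "non-promotion", set by subroutine A


@dataclass
class SecurityMessage:
    text: str          # e.g. "acceleration E2" (M2) or "suppression E5" (M5)
    signature: str


class FixedSecurityModule:
    """Lists 111 and 112 of the fixed type security module 108 as FIFO queues:
    append() is the upper-most position, index 0 / popleft() the lower-most one."""

    def __init__(self) -> None:
        self.activation: deque = deque()
        self.inactivation: deque = deque()

    def find(self, name: str):
        for lst in (self.activation, self.inactivation):
            for sw in lst:
                if sw.name == name:
                    return lst, sw
        return None, None

    def subroutine_a(self, software, message) -> int:
        """FIG. 3, steps 301-312.  Returns 0 when the software was classified."""
        rc = 1
        # step 302: a well-formed signature is attached (64 hex characters)
        if software is not None and len(software.signature) == 64:
            # step 303: which listed key verifies it?  Steps 304/305 classify by type.
            for name, (kind, _key) in OPEN_KEY_LIST.items():
                if signed_by(name, software.code, software.signature):
                    software.kind = kind
                    rc = 0
                    break
            else:
                # step 306: no listed key verifies it -> overwrite and invalidate
                software.code = b"\x00" * len(software.code)
                software.signature = ""
        # steps 307-311: a security message counts only if the center signed it (308)
        if message is not None and signed_by(CENTER, message.text.encode(), message.signature):
            verb, _, target = message.text.partition(" ")
            lst, sw = self.find(target)
            if sw is not None and verb == "acceleration":   # step 310
                lst.remove(sw)
                self.activation.appendleft(sw)              # lower-most = next to run
            elif sw is not None and verb == "suppression":  # step 311
                lst.remove(sw)
        return rc                                           # step 312

    def receive(self, software=None, message=None) -> None:
        """FIG. 2, steps 204-208, for one received data block."""
        rc = self.subroutine_a(software, message)           # step 205
        # steps 206-208 (ASSUMPTION on 207: a name already present is not registered again)
        if software is not None and rc == 0 and self.find(software.name)[1] is None:
            self.activation.append(software)                # upper-most position


def make_software(name: str, code: bytes, signer: str) -> SecuritySoftware:
    return SecuritySoftware(name, code, sign(OPEN_KEY_LIST[signer][1], code))


def make_message(text: str, key: bytes = OPEN_KEY_LIST[CENTER][1]) -> SecurityMessage:
    return SecurityMessage(text, sign(key, text.encode()))


def demo():
    """Personal computer A 101 in the state of FIG. 1, receiving data B, then data A."""
    pc_a = FixedSecurityModule()
    pc_a.activation.append(make_software("E1", b"scan pattern 1", CENTER))
    pc_a.inactivation.append(make_software("E2", b"scan pattern 2", CENTER))
    # data B 116: E4 with SB(E4) and M2 = "acceleration E2" with SB(M2)
    pc_a.receive(make_software("E4", b"scan pattern 4", CENTER), make_message("acceleration E2"))
    # data A 115: E3 with ST(E3) and M5 = "suppression E5" with SB(M5); no E5 is present
    pc_a.receive(make_software("E3", b"scan pattern 3", "T: Taro"), make_message("suppression E5"))
    # forged software: its signature verifies under no listed key (step 306)
    forged = SecuritySoftware("E9", b"evil", sign(b"attacker-secret", b"evil"))
    pc_a.receive(forged)
    # a message not signed by the center is ignored (step 308), so E1 survives
    pc_a.receive(message=make_message("suppression E1", key=b"attacker-secret"))
    return pc_a, forged
```

The order of operations inside one data block matters: the security message is processed in subroutine A before the received software is appended, so in `demo` the “acceleration E2” in data B moves E2 to the lower-most (next to run) position before E4 lands at the upper-most position, giving the activation order E2, E1, E4 and then E3.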

[0061] FIG. 4 shows details of the procedure of the subroutine 209. This procedure is associated with the list processing of the activation list 111 and the inactivation list 112 of the embodiment.

[0062] Prior to this processing, the subroutine 209 calculates a load in accordance with the memory consumption, the disk consumption, and the CPU utilization rate at the activation of the security dedicated software. If the software is inactive for a predetermined period of time, control is passed to another computer (the process is terminated on this computer and then initiated on the other computer). On receiving the “suppression” signal, the subroutine 209 terminates its operation. It is to be appreciated that the security dedicated software must be capable of detecting the operating conditions described above.

[0063] Next, description will be given of each step.

[0064] First, in step 401, the subroutine 209 checks for the presence or absence of condition of operation 1 (a transmitting operation instructing suppression). If the condition is present, control is passed to step 407; otherwise, control is passed to step 402. In step 402, the subroutine 209 checks whether or not the activation list 111 is empty. If empty, control is transferred to step 407; otherwise, control is passed to step 403.

[0065] In step 403, the subroutine 209 takes the security software at the lower-most position of the stack of the activation list 111. Subsequently, in step 404, the subroutine 209 initiates the security software (sets the software to the activated state). In step 405, the subroutine 209 adds the result of the execution in step 404 to the stack of security messages so as to transmit the execution result to other computers. In step 406, the subroutine 209 stops the process of the security software, sets the software to the inactivated state, and adds the software to the inactivation list 112.

[0066] In step 407, the subroutine 209 checks for the presence or absence of condition of operation 2 (a transmitting operation instructing activation). If the condition is present, control is transferred to step 408; otherwise, control is passed to step 210. In step 408, the subroutine 209 checks whether or not the inactivation list 112 is empty. If empty, control is passed to step 210; otherwise, control is transferred to step 409. In step 409, the subroutine 209 takes the security software at the lower-most position of the stack of the inactivation list 112. In step 410, the subroutine 209 checks whether or not the predetermined period of time has elapsed since the security software was moved to the inactivation list. If so, control is passed to step 414; otherwise, control is transferred to step 411.

[0067] In step 411, the subroutine 209 initiates the security software (sets the software to the activated state). In step 412, the subroutine 209 adds the result of the execution in step 411 to the stack of security messages so as to transmit the execution result to other computers. In step 413, the subroutine 209 stops the process of the security software, sets the software to the inactivated state, and adds the software to the stack of the inactivation list 112. In step 414, the security software is no longer needed by the computer and is deleted from it.

[0068] It is to be appreciated that the stacks of the activation and inactivation lists can simply be constructed as queue structures of the first-in-first-out type.
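The transmit side of FIG. 2 (steps 210 to 217) and the list processing of FIG. 4, as an added example in Python that is not the patent's code. Assumptions: a security software is modelled as its name, its type and a callable body that returns the security notification it outputs or None (the page does not say how the result of step 404 is represented); the two conditions of operation are passed in as flags; expiry is measured against an injectable clock so that the deletion of step 414 can be exercised without waiting; the 60-second period, the names and the bodies in `demo` are constructed.

```python
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class SecuritySoftware:
    """ASSUMPTION: a moving type security software is its name, its type and a body
    returning the security notification it outputs ("acceleration X", "suppression X")
    or None; the page does not specify how the result of step 404 is represented."""
    name: str
    kind: str                          # "promotion" or "non-promotion"
    body: Callable[[], Optional[str]]
    inactive_since: float = 0.0        # time at which it was moved to list 112

    def copy(self) -> "SecuritySoftware":
        return SecuritySoftware(self.name, self.kind, self.body, self.inactive_since)


class Scheduler:
    """Activation list 111 and inactivation list 112 as FIFO queues ([0068]):
    index 0 / popleft() is the lower-most position, append() the upper-most."""

    def __init__(self, expiry_seconds: float, clock=time.monotonic) -> None:
        self.activation: deque = deque()
        self.inactivation: deque = deque()
        self.security_messages: list = []     # results to be sent to other computers
        self.expiry = expiry_seconds
        self.clock = clock

    def _run_once(self, sw: SecuritySoftware) -> None:
        result = sw.body()                            # steps 404 / 411: activate
        if result:
            self.security_messages.append(result)     # steps 405 / 412
        sw.inactive_since = self.clock()              # steps 406 / 413: stop, deactivate
        self.inactivation.append(sw)

    def cycle(self, suppression_received=False, activation_instructed=False):
        """One pass of FIG. 4.  Returns the name of a software deleted in step 414."""
        if not suppression_received and self.activation:        # steps 401-402
            self._run_once(self.activation.popleft())             # steps 403-406
        if activation_instructed and self.inactivation:         # steps 407-408
            sw = self.inactivation.popleft()                      # step 409
            if self.clock() - sw.inactive_since >= self.expiry:   # step 410
                return sw.name                                    # step 414: deleted
            self._run_once(sw)                                    # steps 411-413
        return None

    def attach_for_transmission(self) -> Optional[SecuritySoftware]:
        """FIG. 2, steps 210-217: pick the software to add to outgoing data."""
        if self.activation:                                   # step 210
            sw = self.activation.popleft()                    # step 211
            self.activation.appendleft(sw.copy())             # step 212: a copy stays
            return sw
        if self.inactivation:                                 # step 213
            sw = self.inactivation.popleft()                  # step 214
            if sw.kind == "promotion":                        # step 215
                self.inactivation.appendleft(sw.copy())       # step 216
            return sw                                         # step 217: non-promotion moves away
        return None


def demo() -> dict:
    """Constructed run with a fake clock and a 60-second expiry."""
    now = [100.0]
    sched = Scheduler(expiry_seconds=60, clock=lambda: now[0])
    sched.activation.append(SecuritySoftware("E1", "promotion", lambda: "acceleration E2"))
    sched.activation.append(SecuritySoftware("E3", "non-promotion", lambda: None))
    sent = [sched.attach_for_transmission().name]      # E1 travels, its copy stays in 111
    sched.cycle()                                      # E1 copy runs, emits, goes to 112
    sched.cycle()                                      # E3 runs, emits nothing, goes to 112
    sent.append(sched.attach_for_transmission().name)  # promotion E1 is copied out of 112
    now[0] = 130.0
    deleted = [sched.cycle(activation_instructed=True)]      # E1 idle 30 s: runs again
    now[0] = 170.0
    deleted.append(sched.cycle(activation_instructed=True))  # E3 idle 70 s: deleted
    deleted.append(sched.cycle(activation_instructed=True))  # E1 idle 40 s: runs again
    sched.inactivation.appendleft(SecuritySoftware("E5", "non-promotion", lambda: None, 170.0))
    sent.append(sched.attach_for_transmission().name)  # non-promotion E5 leaves, no copy
    sched.activation.append(SecuritySoftware("E7", "promotion", lambda: "suppression E1"))
    sched.cycle(suppression_received=True)             # condition 1: nothing is activated
    return {
        "sent": sent,
        "deleted": deleted,
        "messages": sched.security_messages,
        "activation": [s.name for s in sched.activation],
        "inactivation": [s.name for s in sched.inactivation],
    }
```

Two points the flowcharts leave implicit show up in the run: a promotion type software never leaves a node (a copy always stays at the lower-most position, so it is also the one picked for every later transmission), whereas a non-promotion software in the inactivation list is handed over and disappears locally; and a software that keeps being activated before the period of step 410 elapses is never deleted, so the period is the only thing that bounds how long a stale software survives.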

[0069] Next, another embodiment of the present invention will be described.

[0070] FIGS. 5 and 7 show the configuration and a flowchart of another embodiment in accordance with the present invention. FIG. 5 shows the system configuration and FIG. 7 the processing procedure of the system. In this embodiment, when data is introduced from an external system, a computer on which a moving type security dedicated software is active serves as the entrance to the system, so that the prevention of epidemics is conducted for the overall system.

[0071] The hardware configuration will first be described with reference to FIG. 5.

[0072] A numeral 501 indicates an internal network and a numeral 502 denotes an external network. Numerals 511 and 521 indicate computers (terminal devices) connected to the network 501. The computer 511 has a hard disk 512 and controls a file system 513. The computer 521 has a hard disk 522 and controls a file system 523. A numeral 505 indicates a computer (server) connected to the external network 502. A numeral 506 denotes a computer (firewall) that separates the internal network 501 from the external network 502.

[0073] The software configuration will now be described with reference to FIG. 5.

[0074] A numeral 540 indicates a server program which operates on the computer 505 and is, for example, a WWW server program. A numeral 541 is a client program which operates on the computer 511 and is, for example, a WWW client program. Each of the numerals 531 and 532 denotes a security dedicated software; such software either circulates through the computers in the network 501 or is resident on a particular node. For simplicity of explanation, it is assumed here that the numeral 531 indicates a fixed type software (called the security clerk) on the computer 511 and the numeral 532 denotes a moving type software (called the security agent) active on the computer 521.

[0075] Referring now to FIG. 7, the operations of the programs 531 and 532 will be described for the case in which data is downloaded from the program 540 by the program 541 and stored on the hard disk 512 as a file of the file system 513.

[0076] Next, description will be given of each step of FIG. 7.

[0077] (1) Pre-processing

[0078] In step 701, the client program 541 issues a request for a file transfer of data managed by the server program 540. In step 702, the server program 540 receives the request from the client 541. In step 703, the client program 541 issues to the security clerk 531 a request for “preparation for sterilization of data to be downloaded”. In step 704, the security clerk 531 receives the request of step 703 and searches for a computer on which a security agent is activated. For example, the security clerk 531 broadcasts an enquiry to the security agent (or the security clerk) of each computer on the network 501 and regards the computer from which an answer is first received as the computer on which a security agent is active. Alternatively, when a plurality of security agents are active, the security clerk 531 may make the judgement in accordance with the number of active security agents or their types.

[0079] In step 705, the security clerk 531 transmits, in accordance with the judgement in step 704, the request of step 703 to the program 532 operating on the computer 521. In step 706, the security agent 532 having received the request of step 703 prepares for operation. This example shows an operation that mounts the file system 523 as a partial tree onto the file system 513. Thereafter, completion of the preparation is notified to the security clerk 531.

[0080] In step 707, the security clerk 531 transmits to the program 541 the information items obtained in steps 704 to 706 (such as the mounting point of the remote file system 523 and the type, operation procedure, and the like of the security agent 532).

[0081] (2) Main Processing

[0082] In step 711, the program 541 conducts the download operation in accordance with a conventional file transfer protocol (e.g., FTP). However, the download destination is the remote file system 523 for which the security agent 512 is activated. In step 712, in accordance with information obtained in step 707, the program 541 requests the security agent 512 (again via the security clerk 531) to sterilize the file downloaded in step 708.

[0083] In step 713, the security agent 532 conducts the sterilizing operation. When any abnormality is detected, the downloaded data is deleted. Thereafter, a result of the operation is returned to the program 541. In step 714, the program 541 moves the sterilized download data from the file system 523 to the file system 513.

[0084] (3) Post-processing

[0085] In step 721, the program 541 requests the security agent 541 (via the security clerk 531) to demount the file system 523. In step 722, the security agent 541 demounts the file system 523. In step 723, the security agent 541 notifies the completion of the post-processing (via the security clerk 531) to the program 541 to thereby complete the processing operation.

[0086] In the embodiment above, for simplification of explanation, the program 531 is a fixed type software and the program 532 is a moving type software. However, the operation above can be achieved regardless of the moving or fixed type of the software. It is an aspect of the embodiment that the program 531 and the program 532 can communicate with each other to cooperatively conduct operation. In the conventional virus inspecting method, a computer (the computer 511 in this example) is infected with a virus if an effective security dedicated software does not exist in the computer. However, in this embodiment, since the presence of a security dedicated software is detected and there exists an entry program (clerk) for the mediation, it is possible to more efficiently inspect the virus.
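The three-phase download flow of FIG. 7 (clerk locates an active agent, the download is staged on the agent's file system, sterilized, and only then moved to the client) as an added simulation; this is not the patent's own code. Hosts, file systems, the broadcast enquiry and the byte-pattern scan are constructed in-memory stand-ins.

```python
"""Simulation of the mediated download and sterilization flow of FIG. 7.

Added example, not the patent's own code.  Hosts, file systems, the
"broadcast" enquiry and the scan are in-memory stand-ins; a constructed
byte-pattern list stands in for whatever check the security agent performs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the security agent's detection knowledge.
SUSPICIOUS_PATTERNS = [b"EVIL-MARKER"]


@dataclass
class Host:
    """A computer with a file system and, optionally, an active security agent."""
    name: str
    fs: Dict[str, bytes] = field(default_factory=dict)       # path -> contents
    agent_active: bool = False
    mounts: Dict[str, "Host"] = field(default_factory=dict)  # mount point -> remote host


class SecurityAgent:
    """Moving type software (program 532) on a host whose agent is active."""

    def __init__(self, host: Host) -> None:
        self.host = host

    def prepare(self, client: Host, mount_point: str) -> str:
        """Step 706: mount this host's file system as a subtree of the client's."""
        client.mounts[mount_point] = self.host
        return mount_point

    def sterilize(self, path: str) -> bool:
        """Step 713: inspect the staged file; delete it on any abnormality."""
        data = self.host.fs.get(path)
        if data is None:
            return False
        if any(p in data for p in SUSPICIOUS_PATTERNS):
            del self.host.fs[path]
            return False
        return True

    def demount(self, client: Host, mount_point: str) -> None:
        """Step 722: detach the remote file system again."""
        client.mounts.pop(mount_point, None)


class SecurityClerk:
    """Fixed type entry program (program 531) mediating between client and agents."""

    def __init__(self, network: List[Host]) -> None:
        self.network = network

    def find_agent(self) -> Optional[SecurityAgent]:
        """Step 704: enquire every host; the first answering with an active agent is used."""
        for host in self.network:
            if host.agent_active:
                return SecurityAgent(host)
        return None


def download_via_quarantine(client: Host, server: Host, clerk: SecurityClerk,
                            remote_path: str, local_path: str) -> dict:
    """Steps 701-723: stage the download on the agent's host, sterilize, then move it."""
    agent = clerk.find_agent()                                  # steps 703-704
    if agent is None:
        return {"status": "no-agent", "mounted": False}
    mount_point = agent.prepare(client, "/mnt/quarantine")      # steps 705-707
    # Step 711: the transfer lands on the remote file system, never directly on the client.
    staged = "/incoming/" + local_path.rsplit("/", 1)[-1]
    agent.host.fs[staged] = server.fs[remote_path]
    clean = agent.sterilize(staged)                             # steps 712-713
    if clean:
        client.fs[local_path] = agent.host.fs.pop(staged)       # step 714
    agent.demount(client, mount_point)                          # steps 721-723
    return {"status": "clean" if clean else "deleted",
            "mounted": mount_point in client.mounts}


def run_demo() -> List[dict]:
    """Constructed scenario: one clean and one suspicious file on the server."""
    server = Host("server-540", fs={"/pub/notes.txt": b"meeting notes",
                                    "/pub/tool.bin": b"\x7fELF EVIL-MARKER payload"})
    client = Host("computer-511")
    agent_host = Host("computer-521", agent_active=True)
    clerk = SecurityClerk([client, agent_host])
    results = [download_via_quarantine(client, server, clerk, "/pub/notes.txt", "/home/notes.txt"),
               download_via_quarantine(client, server, clerk, "/pub/tool.bin", "/home/tool.bin")]
    results.append({"client_files": sorted(client.fs), "agent_files": sorted(agent_host.fs)})
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```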

[0087] FIGS. 6 and 8 show another embodiment of the utilization method of the present invention. FIG. 6 is a system configuration diagram and FIG. 8 is a processing procedure of the system. In this embodiment, a file associated with occurrence of an injustice due to a virus of a new type is isolated from the distributed system to thereby conduct the prevention of epidemics in the overall system.

[0088] Referring to FIG. 6, description will be given of the hardware configuration.

[0089] A numeral 601 indicates an internal network. Numerals 602, 611, and 621 are computers connected to the network 601. The computer 611 has a hard disk 612. The computer 621 has a storage medium, for example, a hard disk 622. Moreover, the computer 621 also possesses a recording medium 623, for example, a magnetic tape which can be separated from the hard disk 622. On the hard disk 622, there exists a file 613 suspected for the infection with a virus. The computer 621 is a file server in the network 601.

[0090] Referring now to FIG. 6, description will be given of the software configuration.

[0091] A numeral 650 indicates a fixed type security dedicated software (to be called virus buster in this case) which operates on the computer 621. A numeral 651 denotes a moving type security software (called security agent) which circulates through the network 601. The security agent 651 has a table including a state obtained by the previous inspection of the computer 611 (the state includes, for example, the file system configuration, the contents of the hard disk, and addresses of resident programs in the memory). A numeral 653 denotes a fixed type security dedicated software (security clerk) for the mediation between the virus buster 650 and the security agent 651.

[0092] Referring to FIG. 8, description will be given of an operation in which the file 613 suspected for the infection of a virus is provisionally isolated by the file server 621 to prevent the infection with the computer virus of a new type through cooperation of the programs 651, 650, and 653 related to security.

[0093] Next, description will be given of each step.

[0094] (1) Pre-processing

[0095] In step 801, the security agent 651 arrives at the computer 611 and then starts a search. In step 802, in accordance with a list 652 generated as a result of the previous circulation, the security agent 651 makes a search for a file 613 suspected for infection with a computer virus of a new type. As criteria for the suspected files, there may be used, for example, a new file generated after the previous circulation or a file updated also thereafter.

[0096] In step 803, the security agent 651 issues to the security clerk 653 a request for connection between the file server 621 and the computer 611 via the network 601. In step 804, the security agent 651 transfers the suspected file 613 to the file server 621. In this embodiment, it is more desirable that the file server 621 is disconnected from the network if there is not a request from the security agent 651 to the security clerk 653.

[0097] In step 805, the security agent 651 again notifies to the virus buster 650 in advance a procedure of moving the file 613 transferred in step 803 onto the hard disk 612. For example, the file is moved when the security agent 651 again circulates through the computer 611. Alternatively, there may be determined a procedure to move the file 613 when the illness is not detected after lapse of a period of time determined by the system.

[0098] (2) Main Processing

[0099] In step 811, the virus buster 650 monitors the computer 621 and the hard disk 622. When an injustice is detected, the buster 650 notifies the condition to the manager. In step 812, the virus buster 650 stores the file just transferred from a computer on the network to be separated from the files in which the illness is not detected for a predetermined period of time. For example, the buster 650 saves the file on a medium (magnetic tape) 623 which can be separated from the hard disk. In this embodiment, there are employed two stages in association with the lapse of time and the number of media. However, a multi-stage system may be implemented depending on the system configuration.

[0100] (3) Post-processing

[0101] In step 821, the security agent 651 issues, in accordance with a procedure determined in step 805, a request to transfer the file 613 stored at the moment on the medium 623 (the illness not detected in the file 613) to the original computer 611. In step 822, the security clerk 653 issues an enquiry to the virus buster 650 for the transfer request in step 821. When the virus buster 650 acknowledges, the security clerk 653 again connects the computer 611 to the computer 621. Thereafter, in step 823, the security clerk 653 transfers the file 613 from the tape 623 of the computer 621 to the hard disk 612 of the computer 611.
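The FIG. 8 procedure (steps 801 to 823) as an added simulation, not the patent's own code: the agent compares the host against the list 652 left by the previous circulation, suspected files are moved to the file server, the virus buster keeps them in a first stage before moving clean ones to the separable medium after the predetermined period, and the clerk only reconnects and returns a file once the buster acknowledges. The list format, the logical clock, the two-stage dictionaries and the byte-pattern detection are assumptions.

```python
"""Simulation of the FIG. 8 isolation flow for files suspected of a new-type virus.

Added example, not the patent's own code.  Assumptions: list 652 is modelled as
{path: (mtime, sha256)} from the previous circulation, the file server's two
stages are dicts, time is a logical integer clock, and a constructed byte
pattern stands in for the virus buster's detection.
"""
import hashlib
from typing import Dict, List, Tuple

QUARANTINE_PERIOD = 3                        # constructed "predetermined period of time"
FileSystem = Dict[str, Tuple[int, bytes]]    # path -> (mtime, contents)


def snapshot(fs: FileSystem) -> Dict[str, Tuple[int, str]]:
    """Table of (mtime, digest) per file: the list 652 left by a circulation."""
    return {p: (m, hashlib.sha256(d).hexdigest()) for p, (m, d) in fs.items()}


def find_suspects(previous: Dict[str, Tuple[int, str]], fs: FileSystem) -> List[str]:
    """Step 802: files created after the previous circulation, or updated since."""
    suspects = []
    for path, (mtime, data) in fs.items():
        prev = previous.get(path)
        if prev is None or prev != (mtime, hashlib.sha256(data).hexdigest()):
            suspects.append(path)
    return sorted(suspects)


class VirusBuster:
    """Fixed type software 650 on the file server 621."""

    def __init__(self, patterns: List[bytes]) -> None:
        self.patterns = patterns
        self.incoming: Dict[Tuple[str, str], Tuple[int, bytes]] = {}  # just-transferred files
        self.tape: Dict[Tuple[str, str], bytes] = {}                  # separable medium 623
        self.alerts: List[Tuple[str, str]] = []                       # notified to the manager

    def receive(self, origin: str, path: str, data: bytes, now: int) -> None:
        self.incoming[(origin, path)] = (now, data)

    def monitor(self, now: int) -> None:
        """Steps 811-812: alert on detection; move files clean for the whole period to tape."""
        for key, (arrived, data) in list(self.incoming.items()):
            if any(p in data for p in self.patterns):
                self.alerts.append(key)
                del self.incoming[key]
            elif now - arrived >= QUARANTINE_PERIOD:
                self.tape[key] = data
                del self.incoming[key]

    def acknowledge(self, origin: str, path: str) -> bool:
        """Step 822: only a file that reached the tape without detection may go back."""
        return (origin, path) in self.tape


class SecurityClerk:
    """Fixed type software 653: the file server is connected only on request."""

    def __init__(self, buster: VirusBuster) -> None:
        self.buster = buster
        self.connected = False

    def transfer_to_server(self, origin: str, fs: FileSystem, paths: List[str], now: int) -> None:
        """Steps 803-804: connect, move the suspected files off the origin host, disconnect."""
        self.connected = True
        for path in paths:
            _, data = fs.pop(path)
            self.buster.receive(origin, path, data, now)
        self.connected = False

    def return_file(self, origin: str, fs: FileSystem, path: str, now: int) -> bool:
        """Steps 821-823: enquire the virus buster, reconnect, restore to the origin disk."""
        if not self.buster.acknowledge(origin, path):
            return False
        self.connected = True
        fs[path] = (now, self.buster.tape.pop((origin, path)))
        self.connected = False
        return True


def circulate(agent_list: Dict[str, Tuple[int, str]], origin: str, fs: FileSystem,
              clerk: SecurityClerk, now: int) -> List[str]:
    """Steps 801-805: the agent arrives, isolates suspects, and leaves an updated list."""
    suspects = find_suspects(agent_list, fs)
    clerk.transfer_to_server(origin, fs, suspects, now)
    agent_list.clear()
    agent_list.update(snapshot(fs))
    return suspects


def run_demo() -> dict:
    """Constructed scenario on computer 611 across one circulation and one return."""
    disk612: FileSystem = {"/data/report.doc": (1, b"quarterly report"),
                           "/data/readme.txt": (1, b"stable file")}
    list652 = snapshot(disk612)                  # state left by the previous circulation
    disk612["/data/report.doc"] = (5, b"quarterly report v2")   # updated since
    disk612["/data/setup.exe"] = (5, b"MZ NEWVIRUS stub")        # new since
    clerk = SecurityClerk(VirusBuster([b"NEWVIRUS"]))
    suspects = circulate(list652, "computer-611", disk612, clerk, now=5)
    clerk.buster.monitor(now=5)                  # detection on the new file
    clerk.buster.monitor(now=5 + QUARANTINE_PERIOD)
    returned = clerk.return_file("computer-611", disk612, "/data/report.doc", now=8)
    refused = clerk.return_file("computer-611", disk612, "/data/setup.exe", now=8)
    return {"suspects": suspects, "alerts": clerk.buster.alerts, "returned": returned,
            "refused": refused, "files": sorted(disk612), "connected": clerk.connected}
```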

[0102] Thanks to the configuration of the embodiment above, the problems of the prior art can be solved as follows.

[0103] (1) Even when the computer virus simultaneously invades the network system at a plurality of positions thereof, the system can cope with the condition. That is, the security software 118 is added to the ordinary message 117 sent from personal computer A 101 to the WWW server 102, and the software is transmitted to all of the computers which access the WWW server 102 such as personal computer X 103 and personal computer Y 104. Furthermore, the security software 123 generated by the epidemic prevention center 106 is of the promotion type and increases in geometrical progression to propagate through the network 107. Consequently, it is possible to inspect the overall network 107 as quickly as possible to thereby remove any injustice. On the other hand, the security software 118 generated by Taro's personal computer 105 is of the non-promotion type and hence it takes time for the software 118 to propagate through the entire network 107. However, this is suitable to locally work out the countermeasure through a relatively low-speed monitoring operation. Comparing the system to the human immune system, the network 107 stands for the blood circulating system and the ordinary message 117 circulates as blood therethrough. The WWW server 102 is compared to the heart to circulate blood. The security software units 118 and 123 stand for immune cells moving together with the blood flow and propagate entirely through the human body, namely, the personal computer X 103 and personal computer Y 104 to repulse invading viruses. There are two kinds of immune cells; specifically, the security software 123 which is generated by the epidemic prevention center 106 and which has relatively high reliability is compared to a lymphocyte having a function to increase in number through promotion. The security software 118 generated by Taro's personal computer 105 is compared to a macrophage to serve a complementary function for the lymphocyte.

[0104] (2) Reliability of the security software can be retained. That is, if the security software 118 is falsified while the software 118 is moving through the network 107, the falsified software 118 will not continue its operation. This is because the digital signature 119 is checked for validity thereof in the computer to which the software 118 is moved. Comparing the operation to that of the human body, when the immune cell (security software 118) becomes out of order, the immune system (fixed type security module 108) resident in the destination computer recognizes the condition and kills the cell. Additionally, the security message 120 is compared to an interleukin which is a notification signal between immune systems. When the interleukin is changed in quality, the immune system (fixed type security module 108) recognizes the state and ignores the condition (step 309).

[0105] (3) At occurrence of runaway of the security software, it is possible to suppress the runaway. Namely, the execution result 132 of the security software is registered to the WWW server 102. When the epidemic prevention center 106 checks the results 132 and assumes an occurrence of runaway, the center 106 registers a security message 125 including a character string of “suppression” to the WWW server 102 to thereby send a signal to stop operation of the security software to personal computer A. Comparing this operation to that of the human body, the message including “suppression” stands for the interleukin secreted from a suppressor T cell. Similarly, the security message containing “acceleration” is compared to the interleukin secreted from a helper T cell.

[0106] As above, in accordance with the embodiment, the problems of the prior art can be solved; moreover, by keeping the executed security software in the inactivation list 112 for a predetermined period of time (step 411), it is possible, when a pertinent invasion occurs, to keep a state in which the countermeasure can be immediately worked out only by receiving the security message with “acceleration”. This corresponds to the function of the immune cell of the human body.
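The fixed type module behaviour summarised in [0103] to [0106] and in claims 6, 8, 11 and 17 (signature check against a key list split into promotion and non-promotion keys, activation and inactivation lists, the “acceleration” and “suppression” security messages, and expiry from the inactivation list) as an added example, not the patent's own code. HMAC-SHA256 tags stand in for the digital signatures and “open keys”, and the expiry period is a constructed number of logical ticks.

```python
"""Behaviour of the fixed type security module summarised in [0103]-[0106] and
claims 6, 8, 11 and 17: signature check against a key list split into promotion
and non-promotion keys, activation/inactivation lists, and the "acceleration" /
"suppression" security messages.

Added example, not the patent's own code.  Assumptions: HMAC-SHA256 tags stand
in for the digital signatures and "open keys" (stdlib only, no real public-key
scheme), and the inactivation period is a constructed number of logical ticks.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INACTIVE_TTL = 3   # constructed "predetermined period of time" for the inactivation list


@dataclass
class MovingSoftware:
    """A moving type security software unit carried inside an ordinary message."""
    name: str
    code: bytes
    signature: bytes
    priority: int = 0


def sign(key: bytes, code: bytes) -> bytes:
    """Stand-in for the originator's digital signature over the software body."""
    return hmac.new(key, code, hashlib.sha256).digest()


class FixedSecurityModule:
    """Resident module 108: verifies, executes and schedules arriving units."""

    def __init__(self, promotion_keys: List[bytes], non_promotion_keys: List[bytes]) -> None:
        self.keys = {"promotion": promotion_keys, "non-promotion": non_promotion_keys}
        self.active: Dict[str, MovingSoftware] = {}                  # activation list 111
        self.inactive: Dict[str, Tuple[MovingSoftware, int]] = {}    # inactivation list 112

    def classify(self, sw: MovingSoftware) -> Optional[str]:
        """Claim 17: whichever key class verifies the signature fixes the propagation type."""
        for kind, keys in self.keys.items():
            for key in keys:
                if hmac.compare_digest(sign(key, sw.code), sw.signature):
                    return kind
        return None   # falsified or unknown signer

    def receive_message(self, attached: MovingSoftware) -> str:
        """Claims 7 and 11: separate the unit from the message, verify it, then activate it."""
        kind = self.classify(attached)
        if kind is None:
            return "killed"          # the falsified unit does not continue its operation
        self.active[attached.name] = attached
        return kind

    def receive_security_message(self, name: str, signal: str, tick: int) -> None:
        """Claim 8: 'acceleration' re-activates or raises priority; 'suppression' deactivates."""
        if signal == "acceleration":
            if name in self.inactive:
                sw, _ = self.inactive.pop(name)
                self.active[name] = sw
            elif name in self.active:
                self.active[name].priority += 1
        elif signal == "suppression":
            if name in self.active:
                self.inactive[name] = (self.active.pop(name), tick)
        # any other string is ignored, like an interleukin "changed in quality" (step 309)

    def expire(self, tick: int) -> List[str]:
        """Claim 6: drop inactive units not operated for the predetermined period."""
        dropped = [n for n, (_, since) in self.inactive.items() if tick - since >= INACTIVE_TTL]
        for n in dropped:
            del self.inactive[n]
        return dropped

    def outgoing_attachments(self) -> List[str]:
        """Claim 7: active units ride along with the next message, highest priority first."""
        return [sw.name for sw in sorted(self.active.values(), key=lambda s: -s.priority)]


def run_demo() -> dict:
    """Constructed scenario: a center-signed unit, a user-signed unit and a tampered copy."""
    center_key, taro_key = b"epidemic-center-open-key", b"taro-open-key"   # constructed
    module = FixedSecurityModule([center_key], [taro_key])
    sw123 = MovingSoftware("sw123", b"scan for pattern A", sign(center_key, b"scan for pattern A"))
    sw118 = MovingSoftware("sw118", b"watch local mailbox", sign(taro_key, b"watch local mailbox"))
    tampered = MovingSoftware("sw118", b"watch local mailbox; altered", sw118.signature)
    kinds = [module.receive_message(sw123), module.receive_message(tampered),
             module.receive_message(sw118)]
    module.receive_security_message("sw123", "acceleration", tick=1)
    module.receive_security_message("sw118", "suppression", tick=1)
    order = module.outgoing_attachments()
    dropped_early = module.expire(tick=2)
    dropped_late = module.expire(tick=4)
    return {"kinds": kinds, "order": order, "dropped_early": dropped_early,
            "dropped_late": dropped_late, "inactive": sorted(module.inactive)}
```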

[0107] (4) The computer virus can be sterilized through the location where the security software exists. This can be regarded as the immune function of the human body. For example, this corresponds to the function to activate an immune cell having a particular function for each of internal organs such as the lung, the stomach, and the intestines which are invasion entrances of external viruses.

[0108] (5) It is possible to quickly detect occurrence of a computer virus of a new type. In relation to the human body, this corresponds to the function of an immune cell against viruses in a particular internal organ such as the liver.

INDUSTRIAL APPLICABILITY

[0109] In accordance with the present invention, there can be provided a method of and a device for managing a computer network capable of coping with simultaneous invasion of computer viruses at a plurality of positions of the computer network.

[0110] Moreover, in accordance with the present invention, there can be provided a method of and a device for managing a computer network capable of ensuring reliability of the security software.

[0111] Furthermore, in accordance with the present invention, there can be provided a method of and a device for managing a computer network capable of suppressing runaway of the security software.

[0112] Additionally, in accordance with the present invention, there can be provided a method of and a device for managing a computer network capable of improving safety for data from an external network.

[0113] Moreover, in accordance with the present invention, there can be provided a method of and a device for managing a computer network capable of immediately detecting occurrence of a computer virus of a new type.

1. A computer network managing method for use in a computer network in which a plurality of computers are connected to each other via transmission lines, wherein when each of the computers sends a message to another computer selected from the computers, said each computer stores and holds therein data constituting a moving type security dedicated software, said data being added to the message for transmission thereof, and when said each computer receives the message from said another computer, said each computer executes said moving type security dedicated software in accordance with said data constituting said moving type security dedicated software, said data being added to the message.
 2. A computer network managing method in accordance with claim 1, wherein when said each computer detects an injustice to the network, said each computer notifies, in response to the detection of the injustice, information of the detection via said transmission lines to other computers of the system.
 3. A computer network managing method in accordance with claim 1, wherein when said each computer sends a message to another computer selected from the computers, said each computer sends data forming a moving type security dedicated software, the data being added to the message and said each computer memorizes and keeps therein the data forming the moving type security dedicated software.
 4. A computer network managing method in accordance with claim 1, wherein when said each computer sends a message to another computer selected from the computers, said each computer sends data forming a moving type security dedicated software, the data being added to the message and said each computer deletes therefrom the data forming the moving type security dedicated software.
 5. A computer network managing method in accordance with claim 1, wherein said moving type security dedicated software includes a plurality of moving type security dedicated software units of different operation types, the software units detecting different kinds of injustices and conducting different processing.
 6. A computer network managing method in accordance with claim 5, wherein said each computer memorizes and keeps therein two kinds of list including an activation list and an inactivation list, said each computer executes, when the activation list includes a moving type security dedicated software registered thereto, the moving type security dedicated software, and said each computer deletes, when a moving type security dedicated software registered to the inactivation list is not operated for a predetermined period of time, the moving type security dedicated software from the inactivation list.
 7. A computer network managing method in accordance with claim 6, wherein a moving type security dedicated software registered to the activation list is added, when said each computer sends a message therefrom, to the message for transmission thereof, and said moving type security dedicated software is separated from the message when the message arrives at a destination computer of the message and said software is automatically executed by the destination computer.
 8. A computer network managing method in accordance with claim 6, wherein said moving type security dedicated software outputs, as a result of execution thereof, security notification data indicating “acceleration” or “suppression”, said outputted data is transmitted to other computers of the system, when said data is received by one of said other computers and indicates “acceleration”, said moving type security dedicated software in said inactivation list is moved to said activation list and said moving type security dedicated software beforehand existing in said activation list is increased in an execution priority level, and when said data is received by one of said other computers and indicates “suppression”, said moving type security dedicated software in said activation list is moved to said inactivation list.
 9. A computer network managing method in accordance with claim 6, wherein when said moving type security dedicated software outputs, as a result of execution thereof, security notification data indicating “suppression”, the software moves itself to the inactivation list or rewrites itself for invalidation thereof.
 10. A computer network managing method in accordance with claim 1, wherein said message to be transmitted together with said moving type security dedicated software or said security notification data is an E-mail or database access data.
 11. A computer network managing method in accordance with claim 1, wherein said moving type security dedicated software includes a digital signature of its own and said fixed type security dedicated module in a destination computer of the message conducts verification by said digital signature to determine that said moving type security dedicated software has not been falsified.
 12. A computer network managing method in accordance with claim 1, wherein said moving type security dedicated software includes a data area to keep therein history of propagation and operation thereof, when said data area indicates that said software is already propagated to the destination computer, said software stops the moving thereof.
 13. A computer network managing method in accordance with claim 5, wherein said moving type security dedicated software includes a data area to keep therein an index indicating a magnitude of load resulted from operation of the software and one of said moving type security dedicated software units is selected from the activation list for execution thereof, said one software having a lowest load among the software units.
 14. A computer network managing method in accordance with claim 1, wherein said moving type security dedicated software encrypts itself when said software is outside said fixed type security dedicated module.
 15. A computer network managing method in accordance with claim 1, wherein said moving type security dedicated software includes a digital signature of its own and periodically conducts verification of the digital signature to determine whether or not said software has been falsified, and said software rewrites, when it is determined that said software is falsified, itself for invalidation thereof.
 16. A computer network managing method in accordance with claim 1, wherein said moving type security dedicated software verifies another moving type security dedicated software existing in a fixed type security dedicated module of a destination computer of the message and a digital signature thereof, and said moving type security dedicated software rewrites, when it is determined that said software in said module is falsified, said software in said module for invalidation thereof.
 17. A computer network managing method in accordance with claim 1, wherein said each computer keeps therein a list of a plurality of open keys, said keys being classified into two types of a promotion type and a non-promotion type, when said digital signature added to the moving type security dedicated software can be confirmed by an open key classified into the propagation type, said each computer determines that the moving type security dedicated software is of the promotion type, and when said digital signature added to the moving type security dedicated software can be confirmed by an open key classified into the non-propagation type, said each computer determines that the moving type security dedicated software is of the non-promotion type.
 18. A computer network managing method in accordance with claim 1, wherein said each computer is prevented from accessing internal data beyond a read range, a write range, and an execution range beforehand allocated for each user.
 19. A computer network managing method in accordance with claim 1, wherein when copying data from an external system onto first one of said computers, said data is copied onto second one of said computers, said second computer including a plurality of moving type security dedicated software units in an active state, and said data in which no injustice is detected by said moving type security dedicated software is copied onto said first computer.
 20. A computer network managing method in accordance with claim 1, wherein one of said plural computers is set as a computer exclusively conducting countermeasures against injustices, and data in which injustices are detected by said plural moving type security dedicated software units is forcibly moved to said countermeasure dedicated computer.
 21. A computer network managing device for use in a computer network in which a plurality of computers are connected to each other via transmission lines, wherein each of the computers includes data forming a moving type security dedicated software, said data being added, when said each computer sends a message to another computer selected from the computers, to the message for transmission thereof, and a fixed type security dedicated module for executing, when said each computer receives the message from said another computer, said moving type security dedicated software in accordance with said data forming said moving type security dedicated software, said data being added to the message.
 22. A computer network managing device in accordance with claim 21, wherein said fixed type security dedicated module includes detecting means for detecting an injustice to the network, and notifying means for notifying, in response to the detection of the injustice by said detecting means, information of the detection via said transmission lines to other computers of the system.
 23. A computer network managing device in accordance with claim 21, wherein when said each computer sends a message to another computer selected from the computers, said each computer sends data forming a moving type security dedicated software, the data being added to the message and said each computer memorizes and keeps therein the data forming the moving type security dedicated software.
 24. A computer network managing device in accordance with claim 21, wherein when said each computer sends a message to another computer selected from the computers, said each computer sends data forming a moving type security dedicated software, the data being added to the message and said each computer deletes therefrom the data forming the moving type security dedicated software.
 25. A computer network managing device in accordance with claim 21, wherein said moving type security dedicated software includes a plurality of moving type security dedicated software units of different operation types, the software units detecting different kinds of injustices and conducting different processing.
 26. A computer network managing device in accordance with claim 25, wherein said fixed type security dedicated module memorizes and keeps therein two kinds of list including an activation list and an inactivation list, said module executes, when the activation list includes a moving type security dedicated software registered thereto, the moving type security dedicated software, and said module deletes, when a moving type security dedicated software registered to the inactivation list is not operated for a predetermined period of time, the moving type security dedicated software from the inactivation list.
 27. A computer network managing device in accordance with claim 26, wherein a moving type security dedicated software registered to the activation list is added, when said each computer sends a message therefrom, to the message for transmission thereof, and said moving type security dedicated software is separated from the message when the message arrives at a destination computer of the message and a function of said software is automatically executed by said fixed type security dedicated module of the destination computer.
 28. A computer network managing device in accordance with claim 26, wherein said moving type security dedicated software outputs, as a result of execution thereof, security notification data indicating “acceleration” or “suppression”, said outputted data is transmitted via said fixed type security dedicated module to other said fixed type security dedicated modules of the system, when said data is received by one of said other fixed type security dedicated modules and indicates “acceleration”, said moving type security dedicated software in said inactivation list is moved to said activation list and said moving type security dedicated software beforehand existing in said activation list is increased in an execution priority level, and when said data is received by one of said other computers and indicates “suppression”, said moving type security dedicated software in said activation list is moved to said inactivation list.
 29. A computer network managing device in accordance with claim 26, wherein when said moving type security dedicated software outputs, as a result of execution thereof, security notification data indicating “suppression”, said software moves itself to the inactivation list or rewrites itself for invalidation thereof.
 30. A computer network managing device in accordance with claim 26, wherein said message to be transmitted together with said moving type security dedicated software or said security notification data is an E-mail or database access data.
 31. A computer network managing device in accordance with claim 21, wherein said moving type security dedicated software includes a digital signature of its own and said fixed type security dedicated module in a destination computer of the message conducts verification by said digital signature to determine that said moving type security dedicated software has not been falsified.
 32. A computer network managing device in accordance with claim 2, wherein said moving type security dedicated software includes a data area to keep therein history of propagation and operation thereof, when said data area indicates that said software is already propagated to the destination computer, said software stops the moving thereof.
 33. A computer network managing device in accordance with claim 21, wherein said moving type security dedicated software includes a data area to keep therein an index indicating a magnitude of load resulted from operation of the software and one of said moving type security dedicated software units is selected from the activation list for execution thereof, said one software having a lowest load among the software units.
 34. A computer network managing device in accordance with claim 21, wherein said moving type security dedicated software encrypts itself when said software is outside said fixed type security dedicated module.
 35. A computer network managing device in accordance with claim 21, wherein said moving type security dedicated software includes a digital signature of its own and periodically conducts verification of the digital signature to determine whether or not said software has been falsified, and said software rewrites, when it is determined that said software is falsified, itself for invalidation thereof.
 36. A computer network managing device in accordance with claim 21, wherein said moving type security dedicated software verifies another moving type security dedicated software existing in a fixed type security dedicated module of a destination computer of the message and a digital signature thereof, and said moving type security dedicated software rewrites, when it is determined that said software in said module is falsified, said software in said module for invalidation thereof.
 37. A computer network managing device in accordance with claim 21, wherein said fixed type security module keeps therein a list of a plurality of open keys, said keys being classified into two types of a promotion type and a non-promotion type, when said digital signature added to the moving type security dedicated software can be confirmed by an open key classified into the propagation type, said each computer determines that the moving type security dedicated software is of the promotion type, and when said digital signature added to the moving type security dedicated software can be confirmed by an open key classified into the non-propagation type, said each computer determines that the moving type security dedicated software is of the non-promotion type.
 38. A computer network managing device in accordance with claim 21, wherein said fixed type security module is prevented from accessing internal data beyond a read range, a write range, and an execution range beforehand allocated for each user.
 39. A computer network managing device in accordance with claim 21, wherein when copying data from an external system onto first one of said computers, said data is copied onto second one of said computers, said second computer including a plurality of moving type security dedicated software units in an active state, and said data in which no injustice is detected by said moving type security dedicated software is copied onto said first computer.
 40. A computer network managing device in accordance with claim 21, wherein one of said plural computers is set as a computer exclusively conducting countermeasures against injustices, and data in which injustices are detected by said plural moving type security dedicated software units is forcibly moved to said countermeasure dedicated computer.